From d1aee2f30e507d7c1b2d92b37064734331399d73 Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Tue, 24 Mar 2026 23:56:40 -0700
Subject: [PATCH] vade: prefer FIDO2 over passphrase for LUKS unlock

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 hw/vade/hardware-configuration.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/vade/hardware-configuration.nix b/hw/vade/hardware-configuration.nix
index 044127f..25755f9 100644
--- a/hw/vade/hardware-configuration.nix
+++ b/hw/vade/hardware-configuration.nix
@@ -18,7 +18,13 @@
       fsType = "ext4";
     };
 
-  boot.initrd.luks.devices."luks-e51c3431-ac26-4429-88a6-cebba8878935".device = "/dev/disk/by-uuid/e51c3431-ac26-4429-88a6-cebba8878935";
+  boot.initrd.luks.devices."luks-e51c3431-ac26-4429-88a6-cebba8878935" = {
+    device = "/dev/disk/by-uuid/e51c3431-ac26-4429-88a6-cebba8878935";
+    crypttabExtraOpts = [
+      "fido2-device=auto"
+      "token-timeout=10"
+    ];
+  };
 
   # Use systemd in initrd for FIDO2 LUKS unlock support
   boot.initrd.systemd.enable = true;